VYPR

Vendor CVEs

Jenkins Project

All CVEs

1,577 total · sorted by risk
  • CVE-2016-4987 · Medium · Feb 9, 2017
    risk 0.35 · CVSS 6.5 · EPSS 0.03

    Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.

  • CVE-2016-0790 · Medium · Apr 7, 2016
    risk 0.35 · CVSS 5.3 · EPSS 0.02

    Jenkins before 1.650 and LTS before 1.642.2 do not use a constant-time algorithm to verify API tokens, which makes it easier for remote attackers to determine API tokens via a brute-force approach.

  • CVE-2026-53442 · Medium · Jun 10, 2026
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Jenkins 2.567 and earlier, LTS 2.555.2 and earlier does not encrypt secrets from POST config.xml submissions before storing them in job configurations unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read…

  • CVE-2023-46660 · Medium · Oct 25, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Jenkins Zanata Plugin 0.6 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token hashes are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46658 · Medium · Oct 25, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins MSTeams Webhook Trigger Plugin 0.1.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-46657 · Medium · Oct 25, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins Gogs Plugin 1.0.15 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2023-41934 · Medium · Sep 6, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if "Treat username as secret" is checked.

  • CVE-2023-40349 · Medium · Aug 16, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs.

  • CVE-2023-40348 · Medium · Aug 16, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    The webhook endpoint in Jenkins Gogs Plugin 1.0.15 and earlier provides unauthenticated attackers information about the existence of jobs in its output.

  • CVE-2023-39156 · Medium · Jul 26, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    A cross-site request forgery (CSRF) vulnerability in Jenkins Bazaar Plugin 1.22 and earlier allows attackers to delete previously created Bazaar SCM tags.

  • CVE-2023-39155 · Medium · Jul 26, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

  • CVE-2023-30521 · Medium · Apr 12, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    A missing permission check in Jenkins Assembla merge request builder Plugin 1.1.13 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2023-30519 · Medium · Apr 12, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    A missing permission check in Jenkins Quay.io trigger Plugin 0.1 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to the attacker-specified repository.

  • CVE-2023-30517 · Medium · Apr 12, 2023
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Jenkins NeuVector Vulnerability Scanner Plugin 1.22 and earlier unconditionally disables SSL/TLS certificate and hostname validation when connecting to a configured NeuVector Vulnerability Scanner server.

  • CVE-2022-45389 · Medium · Nov 15, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    A missing permission check in Jenkins XP-Dev Plugin 1.0 and earlier allows unauthenticated attackers to trigger builds of jobs corresponding to an attacker-specified repository.

  • CVE-2022-43435 · Medium · Oct 19, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins 360 FireLine Plugin 1.7.2 and earlier programmatically disables Content-Security-Policy protection for user-generated content in workspaces, archived artifacts, etc. that Jenkins offers for download.

  • CVE-2022-43426 · Medium · Oct 19, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

  • CVE-2022-43412 · Medium · Oct 19, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins Generic Webhook Trigger Plugin 1.84.1 and earlier uses a non-constant time comparison function when checking whether the provided and expected webhook token are equal, potentially allowing attackers to use statistical methods to obtain a valid webhook token.

  • CVE-2022-41248 · Medium · Sep 21, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.00

    Jenkins BigPanda Notifier Plugin 1.4.0 and earlier does not mask the BigPanda API key on the global configuration form, increasing the potential for attackers to observe and capture it.

  • CVE-2022-41235 · Medium · Sep 21, 2022
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.

  • CVE-2022-34777 · Medium · Jun 30, 2022
    risk 0.34 · CVSS 5.4 · EPSS 0.72

    Jenkins GitLab Plugin 1.5.34 and earlier does not escape multiple fields inserted into the description of webhook-triggered builds, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

  • CVE-2022-34176 · Medium · Jun 23, 2022
    risk 0.34 · CVSS 5.4 · EPSS 0.77

    Jenkins JUnit Plugin 1119.va_a_5e9068da_d7 and earlier does not escape descriptions of test results, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Run/Update permission.

  • CVE-2021-21667 · Medium · Jun 16, 2021
    risk 0.34 · CVSS 5.4 · EPSS 0.76

    Jenkins Scriptler Plugin 3.2 and earlier does not escape parameter names shown in job configuration forms, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Scriptler/Configure permission.

  • CVE-2021-21649 · Medium · May 11, 2021
    risk 0.34 · CVSS 5.4 · EPSS 0.73

    Jenkins Dashboard View Plugin 2.15 and earlier does not escape URLs referenced in Image Dashboard Portlets, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with View/Configure permission.

  • CVE-2021-21648 · Medium · May 11, 2021
    risk 0.34 · CVSS 6.1 · EPSS 0.11

    Jenkins Credentials Plugin 2.3.18 and earlier does not escape user-controlled information on a view it provides, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2021-21630 · Medium · Mar 30, 2021
    risk 0.34 · CVSS 5.4 · EPSS 0.72

    Jenkins Extra Columns Plugin 1.22 and earlier does not escape parameter values in the build parameters column, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

  • CVE-2020-2155 · Medium · Mar 9, 2020
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2020-2149 · Medium · Mar 9, 2020
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins Repository Connector Plugin 1.2.6 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

  • CVE-2019-10378 · Medium · Aug 7, 2019
    risk 0.34 · CVSS 5.3 · EPSS 0.01

    Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

  • CVE-2019-10359 · Medium · Jul 31, 2019
    risk 0.34 · CVSS 6.3 · EPSS 0.01

    A cross-site request forgery vulnerability in Jenkins Maven Release Plugin 0.14.0 and earlier in the M2ReleaseAction#doSubmit method allowed attackers to perform releases with attacker-specified options.

  • CVE-2023-50771 · Medium · Dec 13, 2023
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins OpenId Connect Authentication Plugin 2.6 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

  • CVE-2022-46683 · Medium · Dec 12, 2022
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Google Login Plugin 1.4 through 1.6 (both inclusive) improperly determines that a redirect URL after login is legitimately pointing to Jenkins.

  • CVE-2022-36922 · Medium · Jul 27, 2022
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Lucene-Search Plugin 370.v62a5f618cd3a and earlier does not escape the search query parameter displayed on the 'search' result page, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2022-34182 · Medium · Jun 23, 2022
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Nested View Plugin 1.20 through 1.25 (both inclusive) does not escape search parameters, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2022-34178 · Medium · Jun 23, 2022
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Embeddable Build Status Plugin 2.0.3 allows specifying a 'link' query parameter that build status badges will link to, without restricting possible values, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2021-21684 · Medium · Oct 6, 2021
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Git Plugin 4.8.2 and earlier does not escape the Git SHA-1 checksum parameters provided to commit notifications when displaying them in a build cause, resulting in a stored cross-site scripting (XSS) vulnerability.

  • CVE-2021-21673 · Medium · Jun 30, 2021
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    Jenkins CAS Plugin 1.6.0 and earlier improperly determines that a redirect URL after login is legitimately pointing to Jenkins, allowing attackers to perform phishing attacks.

  • CVE-2021-21666 · Medium · Jun 10, 2021
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins Kiuwan Plugin 1.6.0 and earlier does not escape query parameters in an error message for a form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2021-21613 · Medium · Jan 13, 2021
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins TICS Plugin 2020.3.0.6 and earlier does not escape TICS service responses, resulting in a cross-site scripting (XSS) vulnerability exploitable by attackers able to control TICS service response content.

  • CVE-2021-21610 · Medium · Jan 13, 2021
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins 2.274 and earlier, LTS 2.263.1 and earlier does not implement any restrictions for the URL rendering a formatted preview of markup passed as a query parameter, resulting in a reflected cross-site scripting (XSS) vulnerability if the configured markup formatter does not…

  • CVE-2020-2207 · Medium · Jul 2, 2020
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    Jenkins VncViewer Plugin 1.7 and earlier does not escape a parameter value in the checkVncServ form validation endpoint, resulting in a reflected cross-site scripting (XSS) vulnerability.

  • CVE-2020-2169 · Medium · Mar 25, 2020
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    A form validation endpoint in Jenkins Queue cleanup Plugin 1.3 and earlier does not properly escape a query parameter displayed in an error message, resulting in a reflected XSS vulnerability.

  • CVE-2012-4441 · Medium · Nov 18, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin.

  • CVE-2012-4440 · Medium · Nov 18, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin.

  • CVE-2019-10405 · Medium · Sep 25, 2019
    risk 0.33 · CVSS 5.4 · EPSS 0.66

    Jenkins 2.196 and earlier, LTS 2.176.3 and earlier printed the value of the "Cookie" HTTP request header on the /whoAmI/ URL, allowing attackers exploiting another XSS vulnerability to obtain the HTTP session cookie despite it being marked HttpOnly.

  • CVE-2019-10372 · Medium · Aug 7, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    An open redirect vulnerability in Jenkins Gitlab Authentication Plugin 1.4 and earlier in GitLabSecurityRealm.java allows attackers to redirect users to a URL outside Jenkins after successful login.

  • CVE-2019-10336 · Medium · Jun 11, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    A reflected cross-site scripting vulnerability in Jenkins ElectricFlow Plugin 1.1.6 and earlier allowed attackers able to control the output of the ElectricFlow API to inject arbitrary HTML and JavaScript in job configuration forms containing post-build steps provided by this…

  • CVE-2018-1000416 · Medium · Jan 9, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.01

    A reflected cross-site scripting vulnerability exists in Jenkins Job Config History Plugin 2.18 and earlier in all Jelly files that show arbitrary attacker-specified HTML in Jenkins to users with Job/Configure access.

  • CVE-2018-1000407 · Medium · Jan 9, 2019
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    A cross-site scripting vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/Api.java that allows attackers to specify URLs to Jenkins that result in rendering arbitrary attacker-controlled HTML by Jenkins.

  • CVE-2016-0789 · Medium · Apr 7, 2016
    risk 0.33 · CVSS 6.1 · EPSS 0.02

    CRLF injection vulnerability in the CLI command documentation in Jenkins before 1.650 and LTS before 1.642.2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

Page 17 of 32